ExternalVendorCode/serval-dna
1
0
Fork 0
mirror of https://github.com/servalproject/serval-dna.git synced 2024-12-22 06:27:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

refactored obfuscated sender crypto.

Browse Source
This commit is contained in:
gardners 2013-05-14 14:30:35 +09:30
parent 6bd2befa0e
commit a1fb2c7362
3 changed files with 201 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

189
meshms.c
View File

@ -23,190 +23,6 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#include "log.h" #include "log.h"
#include "conf.h" #include "conf.h"
int meshms_generate_outgoing_bid(rhizome_manifest *m,
const unsigned char *sender_sid,
const char *recipient_sid_hex)
{
// BIDprivate =SHA512(”moose”+recipientSID+RS+”anconal”+recipientSID+ ”capital gains tax”)
const unsigned char *rs;
int rs_len;
if (rhizome_find_secret(sender_sid,&rs_len,&rs))
return WHYF("Could not find rhizome secret for: '%s'",
alloca_tohex(sender_sid,SID_SIZE));
return -1;
if (rs_len>256) rs_len=256; // limit to first 2048 bits of rhizome secret
if (rs_len<128) return WHYF("Rhizome secret too short");
char *rs_hex=alloca_tohex(rs,rs_len);
char secret[1024];
unsigned char hash[crypto_hash_sha512_BYTES];
snprintf(secret,1024,"moose%s%sanconal%scapital gains tax",
recipient_sid_hex,rs_hex,recipient_sid_hex);
crypto_hash_sha512(hash, (unsigned char *)secret, strlen(secret));
// The first 256 bits of the hash will be used as the private key of the BID.
bcopy(hash,m->cryptoSignSecret,
crypto_sign_edwards25519sha512batch_SECRETKEYBYTES);
if (crypto_sign_compute_public_key(m->cryptoSignSecret,m->cryptoSignPublic))
return WHY("Could not compute BID");
// Clear out sensitive data
bzero(secret,1024);
bzero(rs_hex,strlen(rs_hex));
bzero(hash,crypto_hash_sha512_BYTES);
return 0;
}
int meshms_xor_obfuscated_sid(unsigned char *xor_sid,
const unsigned char *known_sid_secret,
const char *other_sid_hex)
{
sid_t otherSid;
if (str_to_sid_t(&otherSid, other_sid_hex)==-1)
return WHY("Could not parse foreign SID");
unsigned char nm_bytes[crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES];
if (crypto_box_curve25519xsalsa20poly1305_beforenm(nm_bytes,
otherSid.binary,
known_sid_secret))
return WHY("crypto_box_beforenm() failed");
char secret[strlen("Salt String 1")+crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES+strlen("Salt String 1")];
unsigned char hash[crypto_hash_sha512_BYTES];
int o=0,l;
l=strlen("Salt String 1");
bcopy("Salt String 1",&secret[o],l); o+=l;
l=crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES;
bcopy(nm_bytes,&secret[o],l); o+=l;
l=strlen("Salt String 2");
bcopy("Salt String 2",&secret[o],l); o+=l;
// Hash secret to get sender obfuscation XOR string
crypto_hash_sha512(hash, (unsigned char *)secret, strlen(secret));
int i;
for(i=0;i<SID_SIZE;i++) xor_sid[i]^=hash[i];
// Clear out sensitive data
bzero(hash,crypto_hash_sha512_BYTES);
bzero(secret,sizeof(secret));
bzero(nm_bytes,sizeof(nm_bytes));
return 0;
}
int meshms_set_obfuscated_sender(rhizome_manifest *m,
const char *sender_sid_to_obfuscate_hex,
const char *recipient_sid_hex) {
// Generate shared secret.
// This function assumes it is being called from the sending side, and so
// the combination is private key of disposable SID (which we will generate)
// and public key of the recipient, as already available from the manifest.
// sender=Disposable\, SID
// SS=SharedSecret(Disposable\, SID\, private\, key,Recipient\, SID\, public\, key)
// b=SHA512("Salt\, String\,1"+SS+"Salt\, String\,2")
// ssender=b\oplus Sender\, SID
unsigned char disposable_sid[crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES];
unsigned char disposable_sid_secret[crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES];
if (crypto_box_curve25519xsalsa20poly1305_keypair(disposable_sid,
disposable_sid_secret))
return WHY("Failed to generate disposable SID");
sid_t obSid;
if (str_to_sid_t(&obSid, sender_sid_to_obfuscate_hex)==-1)
if (meshms_xor_obfuscated_sid(obSid.binary,disposable_sid_secret,
recipient_sid_hex))
return WHY("Failed to XOR sender to produce obfuscated SID");
char *sender_hex=alloca_tohex(disposable_sid,SID_SIZE);
char *ssender_hex=alloca_tohex(obSid.binary,SID_SIZE);
rhizome_manifest_set(m, "sender", sender_hex);
rhizome_manifest_set(m, "ssender", ssender_hex);
return 0;
}
int manifest_recover_obfuscated_sender(rhizome_manifest *m)
{
// There are two possiblities here:
// 1. We made the manifest, and are the real sender.
// 2. We are the named recipient, and can attempt to recover the
// real sender.
// The process of attempting to recover the real sender is different for each.
{
// Get recipient
char *recipient_hex=rhizome_manifest_get(m, "recipient", NULL, 0);
// For each of our SIDs, see if we can reproduce the manifest ID
sid_t recipient_sid;
if (cf_opt_sid(&recipient_sid,recipient_hex)!=CFOK)
return WHYF("Unable to parse recipient sid from manifest");
sid_t ssender;
char *ssender_hex=rhizome_manifest_get(m, "ssender", NULL, 0);
if (!ssender_hex||(!ssender_hex[0])||cf_opt_sid(&ssender,ssender_hex)!=CFOK)
// missing or mal-formed ssender field, so cannot extract real sender.
// this is normal for non obfuscated sender bundles, so don't report an
// error.
return -1;
int cn=0,in=0,kp=0;
rhizome_manifest *m2=rhizome_new_manifest();
while (keyring_find_sid(keyring,&cn,&in,&kp,recipient_sid.binary))
{
// SID is in keyring->contexts[cn]->identities[in]
// ->keypairs[kp]->public_key
// 2. See if we are the recipient
if (!memcmp(recipient_sid.binary,
keyring->contexts[cn]->identities[in]
->keypairs[kp]->public_key,
crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES))
{
// We are the recipient -- so we can extract the sender
if (!meshms_xor_obfuscated_sid(ssender.binary,
keyring->contexts[cn]->identities[in]
->keypairs[kp]->private_key,
recipient_hex))
{
return rhizome_manifest_set_real_sender(m,ssender.binary);
}
}
// 1. See if we made the manifest
if (meshms_generate_outgoing_bid(m2,
keyring->contexts[cn]->identities[in]
->keypairs[kp]->public_key,
recipient_hex))
continue;
if (!memcmp(m->cryptoSignPublic,m2->cryptoSignPublic,
crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES))
{
// Bingo! We created this.
// Set the real sender in the manifest, and return
rhizome_manifest_free(m2);
return rhizome_manifest_set_real_sender(m,
keyring->contexts[cn]
->identities[in]
->keypairs[kp]->public_key);
}
}
rhizome_manifest_free(m2);
}
// Not found
return -1;
}
rhizome_manifest *meshms_find_or_create_manifestid rhizome_manifest *meshms_find_or_create_manifestid
(const char *sender_sid_hex,const char *recipient_sid_hex, int createP) (const char *sender_sid_hex,const char *recipient_sid_hex, int createP)
{ {
@ -253,7 +69,8 @@ rhizome_manifest *meshms_find_or_create_manifestid
rhizome_manifest_free(m); rhizome_manifest_free(m);
return NULL; return NULL;
} }
if (meshms_generate_outgoing_bid(m,sender_sid.binary,recipient_sid_hex)) { if (rhizome_obfuscated_manifest_generate_outgoing_bid
(m,sender_sid.binary,recipient_sid_hex)) {
WHY("meshms_generate_outgoing_bid() failed"); WHY("meshms_generate_outgoing_bid() failed");
rhizome_manifest_free(m); rhizome_manifest_free(m);
return NULL; return NULL;
@ -269,7 +86,7 @@ rhizome_manifest *meshms_find_or_create_manifestid
// 1. Set sender=<a disposable sid> and // 1. Set sender=<a disposable sid> and
// 2. ssender=<mechanism to retrieve real sender if you are the recipient> // 2. ssender=<mechanism to retrieve real sender if you are the recipient>
// This is done by the following function // This is done by the following function
if (meshms_set_obfuscated_sender(m,sender_sid_hex,recipient_sid_hex)) { if (rhizome_manifest_set_obfuscated_sender(m,sender_sid_hex,recipient_sid_hex)) {
WHY("meshms_set_obfuscated_sender() failed"); WHY("meshms_set_obfuscated_sender() failed");
rhizome_manifest_free(m); rhizome_manifest_free(m);
return NULL; return NULL;

9
rhizome.h
View File

@ -252,8 +252,17 @@ int rhizome_drop_stored_file(const char *id,int maximum_priority);
int rhizome_manifest_priority(sqlite_retry_state *retry, const char *id); int rhizome_manifest_priority(sqlite_retry_state *retry, const char *id);
int rhizome_read_manifest_file(rhizome_manifest *m, const char *filename, int bufferPAndSize); int rhizome_read_manifest_file(rhizome_manifest *m, const char *filename, int bufferPAndSize);
int rhizome_hash_file(rhizome_manifest *m, const char *filename,char *hash_out); int rhizome_hash_file(rhizome_manifest *m, const char *filename,char *hash_out);
int rhizome_manifest_set_real_sender(rhizome_manifest *m, int rhizome_manifest_set_real_sender(rhizome_manifest *m,
const unsigned char *sid_binary); const unsigned char *sid_binary);
int rhizome_obfuscated_manifest_generate_outgoing_bid
(rhizome_manifest *m,
const unsigned char *sender_sid,
const char *recipient_sid_hex);
int rhizome_manifest_set_obfuscated_sender(rhizome_manifest *m,
const char *sender_sid_to_obfuscate_hex,
const char *recipient_sid_hex);
char *rhizome_manifest_get(const rhizome_manifest *m, const char *var, char *out, int maxlen); char *rhizome_manifest_get(const rhizome_manifest *m, const char *var, char *out, int maxlen);
long long rhizome_manifest_get_ll(rhizome_manifest *m, const char *var); long long rhizome_manifest_get_ll(rhizome_manifest *m, const char *var);
int rhizome_manifest_set_ll(rhizome_manifest *m,char *var,long long value); int rhizome_manifest_set_ll(rhizome_manifest *m,char *var,long long value);

189
rhizome_crypto.c
View File

@ -588,6 +588,191 @@ int rhizome_crypt_xor_block(unsigned char *buffer, int buffer_size, int64_t stre
return 0; return 0;
} }
int rhizome_manifest_xor_obfuscated_sid(unsigned char *xor_sid,
const unsigned char *known_sid_secret,
const char *other_sid_hex)
{
sid_t otherSid;
if (str_to_sid_t(&otherSid, other_sid_hex)==-1)
return WHY("Could not parse foreign SID");
unsigned char nm_bytes[crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES];
if (crypto_box_curve25519xsalsa20poly1305_beforenm(nm_bytes,
otherSid.binary,
known_sid_secret))
return WHY("crypto_box_beforenm() failed");
char secret[strlen("Salt String 1")+crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES+strlen("Salt String 1")];
unsigned char hash[crypto_hash_sha512_BYTES];
int o=0,l;
l=strlen("Salt String 1");
bcopy("Salt String 1",&secret[o],l); o+=l;
l=crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES;
bcopy(nm_bytes,&secret[o],l); o+=l;
l=strlen("Salt String 2");
bcopy("Salt String 2",&secret[o],l); o+=l;
// Hash secret to get sender obfuscation XOR string
crypto_hash_sha512(hash, (unsigned char *)secret, strlen(secret));
int i;
for(i=0;i<SID_SIZE;i++) xor_sid[i]^=hash[i];
// Clear out sensitive data
bzero(hash,crypto_hash_sha512_BYTES);
bzero(secret,sizeof(secret));
bzero(nm_bytes,sizeof(nm_bytes));
return 0;
}
int rhizome_manifest_set_obfuscated_sender(rhizome_manifest *m,
const char *sender_sid_to_obfuscate_hex,
const char *recipient_sid_hex) {
// Generate shared secret.
// This function assumes it is being called from the sending side, and so
// the combination is private key of disposable SID (which we will generate)
// and public key of the recipient, as already available from the manifest.
// sender=Disposable\, SID
// SS=SharedSecret(Disposable\, SID\, private\, key,Recipient\, SID\, public\, key)
// b=SHA512("Salt\, String\,1"+SS+"Salt\, String\,2")
// ssender=b\oplus Sender\, SID
unsigned char disposable_sid[crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES];
unsigned char disposable_sid_secret[crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES];
if (crypto_box_curve25519xsalsa20poly1305_keypair(disposable_sid,
disposable_sid_secret))
return WHY("Failed to generate disposable SID");
sid_t obSid;
if (str_to_sid_t(&obSid, sender_sid_to_obfuscate_hex)==-1)
if (rhizome_manifest_xor_obfuscated_sid(obSid.binary,disposable_sid_secret,
recipient_sid_hex))
return WHY("Failed to XOR sender to produce obfuscated SID");
char *sender_hex=alloca_tohex(disposable_sid,SID_SIZE);
char *ssender_hex=alloca_tohex(obSid.binary,SID_SIZE);
rhizome_manifest_set(m, "sender", sender_hex);
rhizome_manifest_set(m, "ssender", ssender_hex);
return 0;
}
int rhizome_obfuscated_manifest_generate_outgoing_bid
(rhizome_manifest *m,
const unsigned char *sender_sid,
const char *recipient_sid_hex)
{
// BIDprivate =SHA512(”moose”+recipientSID+RS+”anconal”+recipientSID+ ”capital gains tax”)
const unsigned char *rs;
int rs_len;
if (rhizome_find_secret(sender_sid,&rs_len,&rs))
return WHYF("Could not find rhizome secret for: '%s'",
alloca_tohex(sender_sid,SID_SIZE));
return -1;
if (rs_len>256) rs_len=256; // limit to first 2048 bits of rhizome secret
if (rs_len<128) return WHYF("Rhizome secret too short");
char *rs_hex=alloca_tohex(rs,rs_len);
char secret[1024];
unsigned char hash[crypto_hash_sha512_BYTES];
snprintf(secret,1024,"moose%s%sanconal%scapital gains tax",
recipient_sid_hex,rs_hex,recipient_sid_hex);
crypto_hash_sha512(hash, (unsigned char *)secret, strlen(secret));
// The first 256 bits of the hash will be used as the private key of the BID.
bcopy(hash,m->cryptoSignSecret,
crypto_sign_edwards25519sha512batch_SECRETKEYBYTES);
if (crypto_sign_compute_public_key(m->cryptoSignSecret,m->cryptoSignPublic))
return WHY("Could not compute BID");
// Clear out sensitive data
bzero(secret,1024);
bzero(rs_hex,strlen(rs_hex));
bzero(hash,crypto_hash_sha512_BYTES);
return 0;
}
int manifest_recover_obfuscated_sender(rhizome_manifest *m)
{
// There are two possiblities here:
// 1. We made the manifest, and are the real sender.
// 2. We are the named recipient, and can attempt to recover the
// real sender.
// The process of attempting to recover the real sender is different for each.
{
// Get recipient
char *recipient_hex=rhizome_manifest_get(m, "recipient", NULL, 0);
// For each of our SIDs, see if we can reproduce the manifest ID
sid_t recipient_sid;
if (cf_opt_sid(&recipient_sid,recipient_hex)!=CFOK)
return WHYF("Unable to parse recipient sid from manifest");
sid_t ssender;
char *ssender_hex=rhizome_manifest_get(m, "ssender", NULL, 0);
if (!ssender_hex||(!ssender_hex[0])||cf_opt_sid(&ssender,ssender_hex)!=CFOK)
// missing or mal-formed ssender field, so cannot extract real sender.
// this is normal for non obfuscated sender bundles, so don't report an
// error.
return -1;
int cn=0,in=0,kp=0;
rhizome_manifest *m2=rhizome_new_manifest();
while (keyring_find_sid(keyring,&cn,&in,&kp,recipient_sid.binary))
{
// SID is in keyring->contexts[cn]->identities[in]
// ->keypairs[kp]->public_key
// 2. See if we are the recipient
if (!memcmp(recipient_sid.binary,
keyring->contexts[cn]->identities[in]
->keypairs[kp]->public_key,
crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES))
{
// We are the recipient -- so we can extract the sender
if (!rhizome_manifest_xor_obfuscated_sid(ssender.binary,
keyring->contexts[cn]->identities[in]
->keypairs[kp]->private_key,
recipient_hex))
{
return rhizome_manifest_set_real_sender(m,ssender.binary);
}
}
// 1. See if we made the manifest
if (rhizome_obfuscated_manifest_generate_outgoing_bid
(m2,
keyring->contexts[cn]->identities[in]
->keypairs[kp]->public_key,
recipient_hex))
continue;
if (!memcmp(m->cryptoSignPublic,m2->cryptoSignPublic,
crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES))
{
// Bingo! We created this.
// Set the real sender in the manifest, and return
rhizome_manifest_free(m2);
return rhizome_manifest_set_real_sender(m,
keyring->contexts[cn]
->identities[in]
->keypairs[kp]->public_key);
}
}
rhizome_manifest_free(m2);
}
// Not found
return -1;
}
int rhizome_derive_key(rhizome_manifest *m, rhizome_bk_t *bsk) int rhizome_derive_key(rhizome_manifest *m, rhizome_bk_t *bsk)
{ {
// don't do anything if the manifest isn't flagged as being encrypted // don't do anything if the manifest isn't flagged as being encrypted
@ -598,6 +783,10 @@ int rhizome_derive_key(rhizome_manifest *m, rhizome_bk_t *bsk)
char *sender = NULL; char *sender = NULL;
sid_t sender_sid, recipient_sid; sid_t sender_sid, recipient_sid;
if (rhizome_manifest_get(m, "ssender", NULL, 0)) {
if (manifest_recover_obfuscated_sender(m))
return WHYF("Sender SID is obfuscated, and we are not party to the bundle");
}
if (m->obfuscatedSenderP) { if (m->obfuscatedSenderP) {
sender="obfuscated"; sender="obfuscated";
memcpy(m->realSender,sender_sid.binary,SID_SIZE); memcpy(m->realSender,sender_sid.binary,SID_SIZE);